vskill
The package manager for AI skills.
Scan. Verify. Install. Across 49 agent platforms.
npx vskill install remotion-best-practices
The Problem
36.82% of AI skills have security flaws (Snyk ToxicSkills).
When you install a skill today, you're trusting blindly:
- No scanning — malicious prompts execute with full system access
- No versioning — silent updates can inject anything, anytime
- No deduplication — the same skill lives in 3 repos, all diverging
- No blocklist — known-bad skills install just fine
vskill fixes all of this.
How It Works
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ Source │────>│ Scan │────>│ Verify │────>│ Install │
│ │ │ │ │ │ │ │
│ GitHub │ │ 38 rules │ │ LLM │ │ Pin SHA │
│ Registry │ │ Blocklist│ │ analysis │ │ Lock ver │
│ Local │ │ Patterns │ │ Intent │ │ Symlink │
└──────────┘ └──────────┘ └──────────┘ └──────────┘
Every install goes through the security pipeline. No exceptions. No --skip-scan.
Quick Start
# Install from any GitHub repo
npx vskill install remotion-dev/skills/remotion-best-practices
# Browse a repo and pick interactively
npx vskill install remotion-dev/skills
# Install a plugin (Claude Code)
npx vskill install --repo anton-abyzov/vskill --plugin mobile
Or install globally: npm install -g vskill
Getting E401 errors? If your project has a .npmrc pointing to a private registry (e.g. AWS CodeArtifact, GitHub Packages), npx may fail with npm error code E401. Fix it by overriding the registry:
npx --registry https://registry.npmjs.org vskill install <skill>
Or install globally once to avoid this entirely: npm i -g vskill --registry https://registry.npmjs.org
Three-Tier Verification
| Tier | How | Trust Level |
|---|
| Scanned | 38 deterministic pattern checks against known attack vectors | Baseline |
| Verified | Pattern scan + LLM-based intent analysis for subtle threats | Recommended |
| Certified | Full manual security review by the vskill team | Highest |
Every install is at minimum Scanned. The vskill.lock file tracks the SHA-256 hash, scan date, and tier for every installed skill. Running vskill update diffs against the locked version and re-scans before applying.
49 Agent Platforms
vskill auto-detects your installed agents and installs skills to all of them at once.
CLI & Terminal — Claude Code, Cursor, GitHub Copilot, Windsurf, Codex, Gemini CLI, Amp, Cline, Roo Code, Goose, Aider, Kilo, Devin, OpenHands, Qwen Code, Trae, and more
IDE Extensions — VS Code, JetBrains, Zed, Neovim, Emacs, Sublime Text, Xcode
Cloud & Hosted — Replit, Bolt, v0, GPT Pilot, Plandex, Sweep
Plugin Marketplace
vskill ships 7 expert skills organized into 5 domain plugins. Each plugin has its own namespace — install only what you need.
npx vskill install --repo anton-abyzov/vskill --plugin mobile
npx vskill install --repo anton-abyzov/vskill --plugin marketing
Then invoke as /plugin:skill in your agent:
/mobile:appstore /marketing:social-media-posting
/google-workspace:gws /skills:scout
Available Plugins
| Plugin | Description | Skills |
|---|
| mobile | React Native, Expo, Flutter, SwiftUI, Jetpack Compose, app store | appstore |
| marketing | Social media content creation, posting, and engagement across 11 platforms, plus Slack messaging | social-media-posting slack-messaging |
| google-workspace | Google Workspace CLI (gws) for Drive, Sheets, Docs, Calendar, Chat, Admin | gws |
| skills | Skill discovery and recommendations | scout |
| productivity | Expert network survey completion and paid expertise sharing | survey-passing |
Commands